Valid login credentials: -
The problem with generic login forms is that the username and password are sent as plaintext, so anybody who is able to sniff packets would be able to steal login credentials. A naïve approach would be to hash the password before sending it; this would stop the attacker from learning the actual password, however they would simply be able to send the hash to the server in order to log in, so this is not a good solution.
My solution here uses a combination of secure hashing together with a randomly generated cryptographic salt (nonce). An attacker is able to learn the login username, password hash and salt by packet sniffing, but without knowing the original password they would never be able to generate the corrent hash as it is salted. Also, capturing the password hash will not work in replay attacks as the salt will be different (it's a cryptographic nonce).
There is a shortcoming: if an attacker is packet-sniffing then there's nothing to stop them stealing the user's PHP session. This of course is a general problem which is not in the scope of this system.